Snort mailing list archives

Re: Question about "stream5: TCP 4-way handshake detected"


From: Victor Roemer via Snort-users <snort-users () lists snort org>
Date: Wed, 1 Nov 2017 13:45:26 -0400

Fairly confident this alert is for the 4-way variant of the typical 3-way handshake.

Like so

a( syn ) b( ack ) b( syn ) a( ack )

However, several years ago, someone noticed some peculiar behavior where the initiating host (read: client), upon receiving a syn response (not a syn+ack), would send a syn+ack back to the server; the handshake then tends to look like this:

a( syn ) b( syn ) a( syn,ack ) b( ack )

Which at the time (probably still true), would cause many middleboxes on a network to reverse the tracking. E.g. now your firewall thinks your web browser is the server.

--

I googled a bit, found this which looks to be written by the same fellows https://nmap.org/misc/split-handshake.pdf


On 11/1/17 1:23 PM, wkitty42 () windstream net wrote:
On 11/01/2017 11:22 AM, agustin larrarte via Snort-users wrote:
Hi,

I would like to ask for advice on this alert. We are receiving many alerts from one unique IP address in our environment for this event. We have been looking for documentation or aid online trying to figure out what this alert event means, but we can't find anything Snort-related. Is this related to the 4-way TCP close connection handshake? Why is this alert being triggered?


129:13 is, indeed, the rule for announcing that a "TCP 4-way handshake has been detected"... not any specific part (close connection??) of it.. the whole handshake...

to find out more about what's going on, you need to capture those packets (wireshark, tcpdump, etc) and study the sessions... if it is legit traffic, then handle the rule in threshold.conf... if not, reconfigure the problematic system/software or otherwise clean it up if it is not legit for your network...
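As an added illustration (not code from this thread or from Snort itself), here is a small Python tracker run over constructed packet sequences. It labels the three handshake shapes discussed above and shows how the split variant makes a naive tracker, one that assumes "whoever sends syn+ack is the server", record the wrong host as the client. The Pkt type, the sample addresses and the helper names are assumptions made for the example.

```python
from dataclasses import dataclass

# Real TCP flag bits for SYN and ACK.
SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Pkt:
    """One TCP segment reduced to the fields a handshake tracker needs."""
    src: str
    dst: str
    flags: int


def track(pkts):
    """Return (label, initiator, tracker_client) for the handshake in pkts.

    label: '3-way', '4-way', 'split' or 'unknown'.
    initiator: host that sent the first bare SYN (ground truth).
    tracker_client: what a naive tracker that treats the sender of
    syn+ack as the server would record as the client.
    """
    if not pkts or pkts[0].flags != SYN:
        return ("unknown", None, None)
    a, b = pkts[0].src, pkts[0].dst
    seq = [(p.src, p.flags) for p in pkts[1:4]]
    if seq[:2] == [(b, SYN | ACK), (a, ACK)]:          # a(syn) b(syn,ack) a(ack)
        return ("3-way", a, a)
    if seq[:3] == [(b, ACK), (b, SYN), (a, ACK)]:      # a(syn) b(ack) b(syn) a(ack)
        return ("4-way", a, a)
    if seq[:3] == [(b, SYN), (a, SYN | ACK), (b, ACK)]:  # a(syn) b(syn) a(syn,ack) b(ack)
        # The initiator sent syn+ack, so the naive rule flips the roles.
        return ("split", a, b)
    return ("unknown", a, None)


def direction_flipped(pkts):
    """True when the naive tracker's client disagrees with the real initiator."""
    _, initiator, tracker_client = track(pkts)
    return tracker_client is not None and tracker_client != initiator


# Constructed sample sessions: 10.0.0.1 always initiates toward 10.0.0.2.
C, S = "10.0.0.1", "10.0.0.2"
THREE_WAY = [Pkt(C, S, SYN), Pkt(S, C, SYN | ACK), Pkt(C, S, ACK)]
FOUR_WAY = [Pkt(C, S, SYN), Pkt(S, C, ACK), Pkt(S, C, SYN), Pkt(C, S, ACK)]
SPLIT = [Pkt(C, S, SYN), Pkt(S, C, SYN), Pkt(C, S, SYN | ACK), Pkt(S, C, ACK)]

if __name__ == "__main__":
    for name, pkts in [("3-way", THREE_WAY), ("4-way", FOUR_WAY), ("split", SPLIT)]:
        print(name, track(pkts), "flipped" if direction_flipped(pkts) else "ok")
```

Running it shows that only the split sequence causes the tracker to swap client and server, which is the reversal the firewall example above describes.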



_______________________________________________
Snort-users mailing list
Snort-users () lists snort org